A number of programmable controllers have proven reliable in shutdown systems. For these programmable controllers, the manufacturers are dedicated to building a quality product, have well-defined software life cycles, have extensive quality assurance programs, and are committed to the customer. As maintenance and engineering personnel have become familiar with them, the controllers have been found easier to troubleshoot, more reliable, less expensive to install and expand, and invaluable during initial startup because of the ease of making changes.
Program design should take advantage of the built-in diagnostics available. It is highly desirable for the designer to use a fully annotated program to describe the logic, so that people can troubleshoot the process logic, make changes safely and keep the documentation updated. However, because of the nature of solid-state electronics, programmable controllers can suffer failures with symptoms which are quite different from those of more traditional relay logic. A single component failure within a programmable controller may cause process input scanning to stop or outputs to remain static. If the programmable controller is of conservative design and incorporates internal failure detection with fail-off action—including a proven reliable watchdog timer—then the programmable controller can imitate the failure mode of a relay system, reducing troubleshooting difficulty and false trips.
Examples of faults that should be detected and annunciated by the programmable controller’s built-in diagnostic functions are:
• Processor failure
• Memory failure
• Remote I/O rack communication failure
• CPU power supply failure
• Battery backup failure
If a CRT-based annunciator system is used, many other faults and potential problems can be detected and annunciated, such as:
• Individual card failure
• Remote I/O failure location
• Program write protection disabled
• Forced inputs or outputs
If programmable controllers are used in a triple circuit system with voting, the importance of internal fault detection is reduced. The triple circuit becomes its own fault detector.
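The fail-off behaviour, watchdog supervision and self-detecting triple circuit described above, as an added illustrative model that is not part of the original text. The watchdog timeout, the channel names, the fault list drawn from the bullets above and the de-energize-to-trip output convention are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Fault(Enum):
    """Internal faults the controller's built-in diagnostics should detect and annunciate."""
    PROCESSOR = "processor failure"
    MEMORY = "memory failure"
    REMOTE_IO_COMMS = "remote I/O rack communication failure"
    CPU_POWER = "CPU power supply failure"
    BATTERY = "battery backup failure"


# Assumed value for illustration: longest scan interval the watchdog tolerates.
WATCHDOG_TIMEOUT_MS = 250


@dataclass
class Channel:
    """One controller channel: faults its diagnostics have detected and its last scan time."""
    name: str
    faults: set = field(default_factory=set)
    last_scan_ms: int = 0


def channel_output(ch: Channel, now_ms: int, process_healthy: bool) -> tuple[bool, list[str]]:
    """Return (output_energized, annunciations) for one channel.
    Outputs are de-energize-to-trip: a healthy channel follows the process logic, while any
    detected fault or a scan stalled past the watchdog timeout drops the output (fail-off),
    just as a de-energized relay would, and is annunciated so it can be repaired."""
    alarms = [f.value for f in ch.faults]
    if now_ms - ch.last_scan_ms > WATCHDOG_TIMEOUT_MS:
        alarms.append("watchdog timer expired: scan stalled, outputs would be static")
    if alarms:
        return False, [f"{ch.name}: {a}" for a in alarms]
    return process_healthy, []


def vote_2oo3(outputs: list[bool]) -> tuple[bool, bool]:
    """Two-out-of-three vote. Returns (energized, disagreement): one dissenting channel is
    outvoted, so a single failure neither trips the plant nor masks a real demand, and the
    disagreement flag is the triple circuit acting as its own fault detector."""
    return sum(outputs) >= 2, len(set(outputs)) > 1


def shutdown_system(channels: list[Channel], now_ms: int, process_healthy: bool):
    """Evaluate all three channels and the voter; returns (energized, disagreement, alarms)."""
    results = [channel_output(ch, now_ms, process_healthy) for ch in channels]
    energized, disagreement = vote_2oo3([out for out, _ in results])
    alarms = [a for _, al in results for a in al]
    if disagreement:
        alarms.append("2oo3 voter: channel disagreement, investigate")
    return energized, disagreement, alarms
```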